How does Trident handle CHAP Secrets when connecting to a SolidFire array
Applies to
Trident
Answer
When configuring CHAP for Trident to authenticate with a SolidFire array, the CHAP secrets come from the SolidFire Account. CHAP is automatically defined when the Account is created. All volumes belonging to the account use the secrets which are configured in the Account. If the volume is not in any Volume Access Group (VAG), CHAP secrets are verified.
Trident sets up an iSCSI static discovery entry with CHAP information on the worker node where the pod is assigned. Then, completes the iSCSI login and mounts the volume so that the Pod can access the Persistent Volume.
A Container which needs access to the volume doesn’t mount the SolidFire Volume directly, the Host Client mounts the SolidFire Volume using standard iSCSI commands.
- The SolidFire account name is the the Trident Tenant name.
- The CHAP Secrets are automatically generated when an account is created.
- Volumes created via Trident belong to the account.
- Trident gets the CHAP secrets from the SolidFire cluster by using Element API calls when a trident volume is created.
- Trident runs SolidFire Element APIs such as GetAccountByName to get account information using the credential set in the backend file
Create an Account example:
Account Details example:
When you create the backend file, set UseCHAP to true.
Example backend file:
{ "version": 1, "storageDriverName": "solidfire-san", "Endpoint": "https://<user>:<password>@<mvip>/json-rpc/8.0", "SVIP": "<svip>:3260", "TenantName": "<tenant>", "labels": {"k8scluster": "dev1", "backend": "dev1-element-cluster"}, "UseCHAP": true, "Types": [{"Type": "Bronze", "Qos": {"minIOPS": 1000, "maxIOPS": 2000, "burstIOPS": 4000}}, {"Type": "Silver", "Qos": {"minIOPS": 4000, "maxIOPS": 6000, "burstIOPS": 8000}}, {"Type": "Gold", "Qos": {"minIOPS": 6000, "maxIOPS": 8000, "burstIOPS": 10000}}] }
Additional Information
Related CHAP Article - "Unkown CHAP Username" iSCSI events in Element Software when attempting to connect to storage from ESXi